Standard access-list example on Cisco Router

Hello Shivam

There is one more command that needs to be applied beyond what you have included in your post. As shown in the lesson, you must apply the ACL that you have created like this:

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 1 in

This command applies the ACL in an inbound direction on the interface. So the filtering will be applied to packets that are ingressing on the interface.

So, with this scenario, R2 has been configured to filter incoming packets on the Fa0/0 interface. It has been set up to allow only those packets with a source IP address within the 192.168.12.0/24 network. The implicit deny any statement at the end filters out all other packets. The direction you apply on the access-group command indicates whether the ACL filtering is applied on ingress or egress packets.

I don’t fully understand the question either! But I think it has to do with best practices concerning where to place standard access lists. I answered him as best I could in the following post:

I hope this has been helpful!

Laz

Hi Rene/Laz,

Hope you are doing well,

Can you help me to understand what locally generated traffic is and how we can filter it on a router?

Some posts discuss using Control Plane Policing and the Extended Outbound ACL to filter locally generated traffic. I’m not sure how to interpret this as I’ve been stuck on the same topic for the last ten days, and my ENCOR exam is next month. Please take the necessary action and provide a scenario. It is really urgent for me to finish this topic anyhow, and if you see the snap, it totally contradicts the post answered by Rene on the same.

What does it mean that the router will not filter the traffic that is destined to the router itself? Can you explain it in more detail?

Regards
Shivam Chaudhary

Hello Shivam

The two types of traffic that are described here have to do with what device is generating the traffic and what device is receiving the traffic.

Take a look at this topology:

  • Transient traffic is traffic that goes through a router, but the source and destination IPs found within the packets DO NOT belong to the router itself. When H1 sends a packet to H2, it has a source address of 192.168.12.1 and a destination address of 192.168.34.4. When R2 receives this packet, since the source and destination IP addresses do not belong to R2, it will forward it along based on the routing rules. For R2, this is transient traffic. Traffic that goes through but is not destined for R2.
  • Locally generated traffic is traffic that the router itself creates and generates. For example, R2 may send an OSPF update to R3. The source IP address of that OSPF update is 192.168.23.2, which is R2’s IP address. It is sourced from the router R2 itself, thus it is locally generated. Similarly, R3 will receive this OSPF update and it will see that the destination address is its own. R2 will never filter this outgoing traffic since it has its own IP address as the source address in the packet, and R3 will never filter this incoming traffic because the destination address is its own.

The only way to filter traffic that is generated by the router itself, or is destined to the router itself is to use Control Plane Policing (CoPP).

I hope this has been helpful!

Laz

1 Like

Hi Laz,

Once more, why do you emphasize using an extended access list to filter locally generated traffic, and when does control plane policing become relevant?

Help me understand what Rene wants to explain here.

Many thanks for the support

Regards
Shivam Chaudhary

Hello Shivam

My apologies. That post contained incorrect information. I have updated it so that it is now correct.

Control Plane Policing or CoPP becomes relevant because only with CoPP can you filter traffic that is generated by a local interface on the device itself. Otherwise, normal ACLs that are applied to interfaces will not filter any such traffic.

I hope this has been helpful!

Laz

1 Like
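To put the two answers above side by side, here is an added IOS configuration example (not from the lesson or from Laz's posts). It applies the standard ACL from the thread inbound on R2's Fa0/0 for transient traffic, then adds a CoPP policy for traffic destined to R2's own control plane; the names COPP-OSPF, COPP-CLASS and COPP-POLICY and the police rate are assumptions.

```cisco
! Added example, not configuration from the original thread.
!
! 1. Standard ACL for transient traffic: permit only sources in
!    192.168.12.0/24; the implicit "deny any" drops everything else.
access-list 1 permit 192.168.12.0 0.0.0.255
!
! Applied inbound, so it filters packets ingressing on Fa0/0.
interface fastEthernet 0/0
 ip access-group 1 in
!
! 2. ACL 1 never sees packets R2 generates itself (e.g. the OSPF update
!    sourced from 192.168.23.2) nor packets addressed to R2's own IPs.
!    For traffic destined to R2's control plane, use CoPP instead:
!    classify it with an extended ACL and police it on the control plane.
ip access-list extended COPP-OSPF
 permit ospf any any
!
class-map match-all COPP-CLASS
 match access-group name COPP-OSPF
!
policy-map COPP-POLICY
 class COPP-CLASS
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! Verify: "show access-lists 1" shows matches for transient traffic only;
! "show policy-map control-plane" shows the CoPP counters for OSPF
! packets addressed to R2 itself.
```

An interface ACL and a CoPP policy are independent: the first decides what is forwarded through R2, the second what R2's own control plane accepts.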

Hi Laz,

Thank you very much. I will come again on a new topic with new doubts.

Regards
Shivam

1 Like